Backend to backend communication through REST with Keycloak protected backends
by Eldar Zakiryanov
I have two webapps. Each has a frontend (AngularJS) and a backend (Java). Each
frontend has its own public access type configuration keycloak.json file.
Each backend has its own bearer-only access type configuration
keycloak.json file. Each frontend app is working fine with its own
backend. My task is to make REST calls from one backend to the other. How
could I achieve that? On each backend the REST services are protected by
checking token validity, and if you try to use it a "Token issuer" error
happens.
7 years, 11 months
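The check a bearer-only backend performs, and why a token from the other app fails it, as an added example (Python, not code from the post or from the Keycloak adapters). The two realm URLs, client names and secrets are constructed; HS256 with a per-realm secret stands in for Keycloak's RS256 realm keys so the example runs offline, but the claim checks (iss against the realm the adapter is configured for, aud against the backend's own client id, exp) are the ones that decide acceptance. The last case also shows what the calling backend's own token needs to carry when both backends live in one realm: the callee's client id in its audience.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(realm_url: str, client_id: str, audience: str, key: bytes,
               now: int, ttl: int = 300) -> str:
    """Constructed stand-in for a realm issuing an access token (HS256 here,
    RS256 with the realm key pair in a real Keycloak realm)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": realm_url, "azp": client_id, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    """Rejection, with the kind of message a bearer-only adapter logs."""


def verify_bearer(token: str, expected_issuer: str, expected_audience: str,
                  realm_key: bytes, now: int) -> dict:
    """Checks a bearer-only backend applies before serving a request.
    Nothing read from the token is trusted until the signature check passes;
    the issuer is compared first only because it selects the realm key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("Malformed token")
    header = json.loads(_unb64url(parts[0]))
    claims = json.loads(_unb64url(parts[1]))
    if header.get("alg") != "HS256":
        raise TokenError("Unsupported alg")
    if claims.get("iss") != expected_issuer:
        raise TokenError("Token issuer: expected %s, got %s"
                         % (expected_issuer, claims.get("iss")))
    expected_sig = hmac.new(realm_key, (parts[0] + "." + parts[1]).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(parts[2])):
        raise TokenError("Invalid signature")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud_list:
        raise TokenError("Token audience does not include %s" % expected_audience)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("Token expired")
    return claims


def demo() -> dict:
    """Two separate realms vs. one shared realm, as seen by backend B."""
    now = 1_500_000_000
    realm_app1 = "http://localhost:8081/auth/realms/app1"   # constructed
    realm_app2 = "http://localhost:8081/auth/realms/app2"   # constructed
    key_app1, key_app2 = b"app1-realm-secret", b"app2-realm-secret"
    results = {}

    # Backend A forwards a token its own realm issued; backend B trusts realm app2.
    foreign = mint_token(realm_app1, "app1-backend", "app1-backend", key_app1, now)
    try:
        verify_bearer(foreign, realm_app2, "app2-backend", key_app2, now)
        results["cross_realm"] = "accepted"
    except TokenError as e:
        results["cross_realm"] = str(e)

    # Both backends registered in one realm; backend A obtained a token (for
    # example via the client credentials grant) whose audience is backend B.
    shared = mint_token(realm_app2, "app1-backend", "app2-backend", key_app2, now)
    claims = verify_bearer(shared, realm_app2, "app2-backend", key_app2, now)
    results["same_realm_caller"] = claims["azp"]

    # Same realm, but a token meant only for backend A: the audience check rejects it.
    wrong_aud = mint_token(realm_app2, "app1-backend", "app1-backend", key_app2, now)
    try:
        verify_bearer(wrong_aud, realm_app2, "app2-backend", key_app2, now)
        results["wrong_audience"] = "accepted"
    except TokenError as e:
        results["wrong_audience"] = str(e)
    return results
```

Running demo() shows the first case failing on the issuer check before any key is consulted, which is the error the post reports; the second case passes because the token was issued by the realm backend B is configured for and names backend B as audience.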
Disable Authenticator menu in user account service
by nicolas heldmaier
Hello,
I'm currently configuring Keycloak, and I won't use the OTP authenticator. But I
can't make the Authenticator menu not show in the user account service.
I saw this sentence in the doc:
"The Authenticator menu item allows the user to set up OTP if they desire.
This will only show up if OTP is a valid authentication mechanism for your
realm"
But I don't find where to declare that OTP is not a valid authentication
mechanism.
Best Regards.
Nicolas.
7 years, 11 months
Some questions between Keycloak and RESTEasy security modules.
by Weinan Li
Hi,
Currently WildFly is using two RESTEasy security modules: `jose-jwt` and `resteasy-crypto`. Keycloak contains part of the features in these two security modules. For example, some classes are similar between RESTEasy and Keycloak, such as `DerUtils` in both `resteasy-crypto` and `org.keycloak.common.util`, but other parts are different: `resteasy-crypto` and `jose-jwt` on the RESTEasy side contain more classes and tools. Shall we move all the work of `jose-jwt` and `resteasy-crypto` into Keycloak in the future and deprecate these two modules on the RESTEasy side? Current status of the RESTEasy security modules:
- jose-jwt / Used by Wildfly, shall we move the codes to Keycloak?
- resteasy-crypto / Used by Wildfly, shall we move the codes to Keycloak?
- keystone / Should be deprecated and replaced by Keycloak
- resteasy-oauth / Should be deprecated and replaced by Keycloak
- skeleton-key-idm / Should be deprecated and replaced by Keycloak
- Weinan Li
7 years, 11 months
Get UserStorageProvider Implementation from session
by Ilya Korol
Hello. Is it possible to retrieve my custom UserStorageProvider (USP)
implementation from a KeycloakSession instance?
I defined CustomInterface and added its implementation to my USP, and then
in a custom Admin REST endpoint I try to get its instance from the session object:
session.getProvider(CustomUserStorageProvider.class) == null
// true
session.getProvider(CustomUserStorageProvider.class, "cusp-id") == null
// true
session.getProvider(UserStorageProvider.class) == null
// true
session.getProvider(UserStorageProvider.class, "cusp-id") == null
// true
but retrieving another provider works fine:
session.getProvider(EmailProvider.class) == null
// false
I tried to deploy my USP via maven-wildfly-plugin and via putting its
jar into keycloak_home/../modules; either way I failed to get it from the session.
7 years, 11 months
User attributes does not update in Keycloak external IDP when the scope is changed
by ansarihaseb
In a custom OIDC Identity Provider I have different scopes from the external IDP
which eventually come with different sets of parameters. E.g. for
scope1 the data coming would be name, place, age, and when scope2 is used the
data would be name, place, age, address and phone. When scope1 is used
to log in, it works perfectly fine and gets all attributes which I set for
scope1, but when I change the scope to scope2 and log in with the same user I
expect that the parameters address and phone would be added to the user
attributes, but they aren't. Where am I going wrong in this?
7 years, 11 months
Policy Enforcer in Spring Security Adapter
by Илья Король
Does the Spring Security Adapter completely support the Keycloak Authorization
capabilities?
We use Keycloak 2.5.5 and are trying to use the authorization features of Keycloak.
1. The first time I tried to enable authorization for a <bearer-only> client. In
the admin console I set the client type to <bearer-only>, then I defined the resource
/profile, a rule-policy (is ROLE_USER granted) and a permission for the /profile
resource with the mentioned policy.
Keycloak gave me the following config:
{
  "realm": "test",
  "bearer-only": true,
  "auth-server-url": "http://localhost:8081/auth",
  "ssl-required": "external",
  "resource": "apps-backend",
  "credentials": {
    "secret": "74070785-cabf-4d28-83d7-f2dc31f081f5"
  },
  "policy-enforcer": {}
}
At start the application failed because the client is configured as <bearer-only> in
Keycloak, so I changed it to confidential
(in keycloak.json it remains as "bearer-only": true).
When the application starts I can see log messages that paths could not be
found, so the adapter takes them from the Keycloak server.
Next, if I try to send a request via Postman with "Authentication": "Bearer
${access_token}" (token retrieved from Keycloak via another direct_grant
client) I can see that the adapter recognized the realm roles, but there is nothing
in the logs about anything related to permissions or authorization.
After RTFM I realized that I should use an RPT token. So I got it via the
Entitlement API and repeated the request to the application with the RPT as bearer token
(according to the documentation). But nothing changed.
Also if I try to get the AuthorizationContext I get null:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
KeycloakPrincipal principal = (KeycloakPrincipal) auth.getPrincipal();
principal.getKeycloakSecurityContext().getAuthorizationContext();
// HERE I GOT NULL
Then I tried to manually add all resource configs to the adapter config
(keycloak.json). Nothing changed, except that if I define some scopes for a
resource I get "... scopes: [] ..." in the logs.
Then I tried to configure the client similarly to "photoz-restful-api" (from
keycloak/examples/authz/photoz/photoz-restful-api/), so in Keycloak the client is
configured as confidential with standard flow but in the adapter config it is set
to "bearer-only". Fail again :(
So I don't know in which direction I should dig. Are there mistakes on my side, or
does the Spring Adapter not fully support these features?
Another question for which I didn't find a clear answer in the documentation is
when and how the Policy Enforcer works. For example, if I make a GET request to
/resource, should I manually check the AuthorizationContext for the appropriate
permissions, or will the Policy Enforcer recognize the requested path and check the
permissions from the provided bearer (RPT?) token before the request reaches
any controller code?
P.S. Here is a slice of the RPT token (token for an admin user which has
permissions for all resources; the Keycloak evaluation page states that my
configuration is right):
  "realm_access": {
    "roles": [
      "ROLE_USER",
      "ROLE_ADMIN"
    ]
  },
  "resource_access": {
    "realm-management": {
      "roles": [
        "view-identity-providers",
        "view-realm",
        "manage-identity-providers",
        "impersonation",
        "realm-admin",
        "create-client",
        "manage-users",
        "view-authorization",
        "manage-events",
        "manage-realm",
        "view-events",
        "view-users",
        "view-clients",
        "manage-authorization",
        "manage-clients"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "resource_set_id": "1faf5618-6229-4919-80f9-971eeae2330d",
        "resource_set_name": "User Profile"
      },
      {
        "scopes": [
          "urn:apps-backend-second:scopes:profile:userinfo:edit",
          "urn:apps-backend-second:scopes:profile:userinfo:view"
        ],
        "resource_set_id": "5d9fdee7-7d14-4a16-9800-2adc25734463",
        "resource_set_name": "User Info"
      },
      {
        "scopes": [
          "urn:apps-backend-second:scopes:profile:permissions:view"
        ],
        "resource_set_id": "33ed1b64-9d4c-445c-a59d-e5090d67c549",
        "resource_set_name": "User Permissions"
      }
    ]
  }
7 years, 11 months
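The decision the policy enforcer makes, modelled as a function so the rule is readable, as an added example (Python; this is not the Keycloak adapter's enforcer, which runs as a filter ahead of application code). The `authorization` claim is copied from the RPT slice in the post; the `paths` block, the request paths and the second, less privileged RPT are constructed. The treatment of a permission entry without scopes as a resource-level grant that covers every method, and of a token with no `authorization` claim as unauthorized, are assumptions of this model.

```python
import fnmatch
from typing import List, Optional

# Constructed "policy-enforcer" block in the keycloak.json shape. Resource names
# must match the resource_set_name values the RPT carries; the paths are assumed.
ENFORCER_CONFIG = {
    "enforcement-mode": "ENFORCING",
    "paths": [
        {"name": "User Profile", "path": "/profile"},
        {"name": "User Info", "path": "/profile/userinfo", "methods": [
            {"method": "GET", "scopes": ["urn:apps-backend-second:scopes:profile:userinfo:view"]},
            {"method": "PUT", "scopes": ["urn:apps-backend-second:scopes:profile:userinfo:edit"]},
        ]},
        {"name": "User Permissions", "path": "/profile/permissions", "methods": [
            {"method": "GET", "scopes": ["urn:apps-backend-second:scopes:profile:permissions:view"]},
        ]},
    ],
}

# "authorization" claim from the admin RPT shown in the post.
ADMIN_RPT_AUTHORIZATION = {
    "permissions": [
        {"resource_set_id": "1faf5618-6229-4919-80f9-971eeae2330d",
         "resource_set_name": "User Profile"},
        {"scopes": ["urn:apps-backend-second:scopes:profile:userinfo:edit",
                    "urn:apps-backend-second:scopes:profile:userinfo:view"],
         "resource_set_id": "5d9fdee7-7d14-4a16-9800-2adc25734463",
         "resource_set_name": "User Info"},
        {"scopes": ["urn:apps-backend-second:scopes:profile:permissions:view"],
         "resource_set_id": "33ed1b64-9d4c-445c-a59d-e5090d67c549",
         "resource_set_name": "User Permissions"},
    ]
}

# Constructed RPT for a plain user: view on User Info only.
USER_RPT_AUTHORIZATION = {
    "permissions": [
        {"scopes": ["urn:apps-backend-second:scopes:profile:userinfo:view"],
         "resource_set_id": "5d9fdee7-7d14-4a16-9800-2adc25734463",
         "resource_set_name": "User Info"},
    ]
}


def match_path(config: dict, request_path: str) -> Optional[dict]:
    """Exact path first, then glob-style patterns such as /profile/*."""
    for p in config["paths"]:
        if p["path"] == request_path:
            return p
    for p in config["paths"]:
        if fnmatch.fnmatchcase(request_path, p["path"]):
            return p
    return None


def required_scopes(path_cfg: dict, method: str) -> List[str]:
    for m in path_cfg.get("methods", []):
        if m["method"].upper() == method.upper():
            return list(m.get("scopes", []))
    return []   # no method entry: any permission on the resource suffices


def is_authorized(config: dict, rpt_authorization: Optional[dict],
                  method: str, request_path: str) -> bool:
    """Decide before any controller runs: does the RPT grant this path/method?"""
    path_cfg = match_path(config, request_path)
    if path_cfg is None:
        # Unmapped path: ENFORCING denies, PERMISSIVE lets the request through.
        return config.get("enforcement-mode") == "PERMISSIVE"
    needed = set(required_scopes(path_cfg, method))
    # A plain access token has no "authorization" claim and grants nothing here.
    for perm in (rpt_authorization or {}).get("permissions", []):
        if perm.get("resource_set_name") != path_cfg["name"]:
            continue
        granted = set(perm.get("scopes", []))
        # Assumed rule: no scopes listed means a resource-level grant that
        # covers every method; otherwise every required scope must be present.
        if not granted or needed <= granted:
            return True
    return False
```

With this model the admin RPT passes every mapped request, the user RPT passes GET /profile/userinfo but not PUT, and a request carrying an ordinary access token (no `authorization` claim) is denied on every mapped path, which is the situation in which the adapter has nothing to put into the AuthorizationContext.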
token vs cookie for clients
by Avinash Kundaliya
Hello,
I have a question that is more related to OAuth2 in general. If I am using
Keycloak with a web application and the backend has the token, is it suggested
for the client to also communicate with the backend using the JWT, or rather
to manage its own session and cookies?
I think it's better to manage its own session and cookies, but I'm also curious how
single sign-out would work in that case.
I hope this is quite a basic question and there are defined ways to
approach such issues.
Thanks for all the help.
--
---
Avinash Kundaliya
avinash(a)avinash.com.np
http://avinash.com.np
7 years, 11 months
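What the cookie-session design looks like when single sign-out has to work, as an added example (Python; not from the post and not Keycloak's adapter session code). The backend keeps the token server-side and hands the browser only an opaque cookie; each local session is indexed by the Keycloak SSO session id (the `session_state` claim of the token), so a logout notification from Keycloak that names that id can end the local session immediately, which a JWT handed to the browser could not do before its `exp`. The cookie name, TTL and usernames are constructed.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class LocalSession:
    username: str
    sso_session_id: str   # Keycloak session_state claim; the key single sign-out needs
    expires_at: float


class SessionStore:
    """Server-side sessions for a backend that keeps tokens away from the browser."""

    def __init__(self, ttl_seconds: int = 1800, clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._by_cookie: Dict[str, LocalSession] = {}
        self._by_sso: Dict[str, Set[str]] = {}

    def create(self, token_claims: dict) -> str:
        """Called after the code-to-token exchange; returns the opaque cookie value."""
        cookie_id = secrets.token_urlsafe(32)   # 256 random bits, carries no claims
        sess = LocalSession(token_claims["preferred_username"],
                            token_claims["session_state"],
                            self._clock() + self._ttl)
        self._by_cookie[cookie_id] = sess
        self._by_sso.setdefault(sess.sso_session_id, set()).add(cookie_id)
        return cookie_id

    def resolve(self, cookie_id: Optional[str]) -> Optional[LocalSession]:
        """Per-request lookup; expired sessions are dropped on first touch."""
        sess = self._by_cookie.get(cookie_id) if cookie_id else None
        if sess is None:
            return None
        if sess.expires_at <= self._clock():
            self._drop(cookie_id)
            return None
        return sess

    def logout_sso(self, sso_session_id: str) -> int:
        """Backchannel logout: Keycloak names the SSO session that ended.
        Every local session bound to it dies at once; others are untouched."""
        cookies = self._by_sso.pop(sso_session_id, set())
        for cookie_id in cookies:
            self._by_cookie.pop(cookie_id, None)
        return len(cookies)

    def _drop(self, cookie_id: str) -> None:
        sess = self._by_cookie.pop(cookie_id, None)
        if sess is not None:
            bound = self._by_sso.get(sess.sso_session_id, set())
            bound.discard(cookie_id)
            if not bound:
                self._by_sso.pop(sess.sso_session_id, None)


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """HttpOnly keeps scripts away from it, Secure keeps it off plain HTTP,
    SameSite=Lax blocks most cross-site request forgery with it."""
    return "%s=%s; Path=/; Max-Age=%d; HttpOnly; Secure; SameSite=Lax" % (name, value, max_age)


def demo() -> dict:
    """Constructed scenario: alice logged in from two browsers (two SSO sessions)."""
    clock = [1_500_000_000.0]
    store = SessionStore(ttl_seconds=600, clock=lambda: clock[0])
    laptop = store.create({"preferred_username": "alice", "session_state": "sso-laptop"})
    phone = store.create({"preferred_username": "alice", "session_state": "sso-phone"})
    out = {"header": set_cookie_header("APPSESSION", laptop, 600)}
    out["both_live"] = store.resolve(laptop) is not None and store.resolve(phone) is not None
    out["killed_by_logout"] = store.logout_sso("sso-laptop")   # Keycloak logs the laptop out
    out["laptop_after"] = store.resolve(laptop)
    out["phone_after"] = store.resolve(phone).username
    clock[0] += 601                                            # idle past the TTL
    out["phone_expired"] = store.resolve(phone)
    return out
```

The same store also serves a front-channel logout: the handler for the application's own logout link calls `_drop` for the presented cookie and then redirects to Keycloak's logout endpoint so the SSO session ends too.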
SAML identity broker Client ID/Issuer
by Ulrik Nejsum Madsen
We are trying to configure Keycloak to act as an identity broker for a SAML 2.0 IdP. Using the "quickstarts/app-profile-jee-vanilla" project as a basis, we added the WildFly client adapter and set up an Identity Provider of type SAML 2.0.
Our customer configures an entityID at the IdP. Example: <https://saml.myapp.com/myservice>. We set the Client ID to equal our entityID and expected the Issuer element to contain this value. Keycloak redirects correctly; however, in the AuthnRequest sent to the IdP, the Issuer element contains a URL at the Keycloak server realm (<https://saml.kombit.dk:8543/auth/realms/demo>) and Keycloak stripped part of our Client ID (/myservice).
Is the Issuer value configurable and if so, where?
Thanks
Anders and Ulrik
7 years, 11 months
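How to read the Issuer the broker actually sends, as an added example (Python, not code from the post or from Keycloak): the HTTP-Redirect binding carries the AuthnRequest as raw-DEFLATE compressed, base64-encoded XML in the `SAMLRequest` query parameter, so decoding it from the redirect URL shows exactly what the IdP will compare against the registered entityID. The AuthnRequest builder, the IdP URL, the assertion consumer URL and the request id are constructed so the example runs offline; the two Issuer values are the ones from the post.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer: str, destination: str, acs_url: str, request_id: str) -> str:
    """Constructed minimal AuthnRequest standing in for what a broker emits."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
        'IssueInstant="2017-01-01T00:00:00Z" Destination="%s" '
        'AssertionConsumerServiceURL="%s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
        % (SAMLP, SAML, escape(request_id), escape(destination), escape(acs_url), escape(issuer))
    )


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits -15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Inverse of the above; raises if the parameter is not valid raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def issuer_from_redirect_url(url: str) -> str:
    """Extract saml:Issuer from the SAMLRequest parameter of a redirect URL.
    ElementTree is fine for a request you generated yourself; for XML received
    from the network use defusedxml to rule out entity-expansion attacks."""
    query = parse_qs(urlsplit(url).query)
    xml_text = decode_redirect_binding(query["SAMLRequest"][0])
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest")
    issuer = root.find("{%s}Issuer" % SAML)
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip()


def issuer_matches(url: str, expected_entity_id: str) -> bool:
    """Exact comparison: an IdP treats the Issuer as an opaque identifier, so a
    stripped path segment or a different host is a different, unknown entity."""
    return issuer_from_redirect_url(url) == expected_entity_id


def make_redirect_url(idp_sso_url: str, issuer: str) -> str:
    """Constructed redirect URL such as a broker would send the browser to."""
    xml_text = build_authn_request(issuer, idp_sso_url,
                                   "https://saml.myapp.com/acs",      # constructed ACS
                                   "_" + "0" * 32)                    # constructed request id
    return idp_sso_url + "?" + urlencode({"SAMLRequest": encode_redirect_binding(xml_text)})
```

Pointing `issuer_from_redirect_url` at the Location header of the real redirect (copied from the browser's network tab) gives the value to compare with the entityID registered at the IdP; in the post's case it prints the realm URL rather than https://saml.myapp.com/myservice, which is why the IdP does not recognise the request.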